[ubuntu-hardened] hiding ssh version

TJ Easter tjeaster at gmail.com
Sun Apr 5 21:04:31 BST 2009


FWIW, I make use of all banner hiding capabilities on public services
(i.e., the ServerTokens parameter in Apache's configuration) as I do
consider it defense-in-depth.  However, with SSH potentially using the
version banner to negotiate features and functionality, I'd recommend
against using the patch.  I use iptables(8) to lock down access to my
SSH daemon -- in addition to libwrap -- so the only people who are
ever even able to see the banner are likely to be hosts that I "trust"
anyway.


Regards,
TJ Easter

On Sun, Apr 5, 2009 at 9:44 AM, Kees Cook <kees at ubuntu.com> wrote:
> Hi Dan,
>
> On Sat, Mar 28, 2009 at 03:09:36PM -0600, Dan Howerton wrote:
>> Is it not possible to get a package in the repos that incorporates this
>> patch and other hardening measures such as denyhosts? Possibly an
>> ssh-hardened package? It doesn't have to be something that is pushed out
>> with the distro by default but something that people can install if they
>> choose to.
>
> I don't think it makes sense to have a forked ssh package in the primary
> archive.  However, there's nothing to stop someone from building openssh
> with the patch and hosting it in their PPA.
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>



-- 
"Being a humanist means trying to behave decently without expectation
of rewards or punishment after you are dead."  -- Kurt Vonnegut, 1922 - 2007
http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x5EB6E92FE2340DEF
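As an added illustration of the point above that the banner is not merely cosmetic (my own example, not code from this thread or from OpenSSH): a strict RFC 4253 parser for the server identification string, fed a constructed OpenSSH-style banner. A client reads protoversion from this line before key exchange, so even a "hidden" banner must remain a well-formed `SSH-2.0-` line; the hyphen and length rules below follow the RFC grammar, and real clients are often more lenient.

```python
import re
from typing import Tuple

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# softwareversion: printable US-ASCII, no whitespace, no minus sign.
IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[!-,.-~]*)"
    rb"(?: (?P<comments>[^\r\n]*))?$"
)
MAX_IDENT_LEN = 255  # bytes, including the terminating CR LF


def parse_identification(stream: bytes) -> Tuple[str, str, str]:
    """Extract (protoversion, softwareversion, comments) from the bytes a
    server sends before key exchange. Lines that do not start with "SSH-"
    are skipped, since RFC 4253 allows a server to send other lines first.
    Raises ValueError when no well-formed identification line is present."""
    for raw in stream.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        if len(raw) + 1 > MAX_IDENT_LEN:  # +1 for the LF removed by split()
            raise ValueError("identification line exceeds 255 bytes")
        m = IDENT_RE.match(line)
        if m is None:
            # Strict RFC grammar; a production client may accept more.
            raise ValueError("malformed identification line: %r" % line)
        return (
            m.group("proto").decode("ascii"),
            m.group("software").decode("ascii"),
            (m.group("comments") or b"").decode("ascii", "replace"),
        )
    raise ValueError("no SSH- identification line found")


def supports_ssh2(protoversion: str) -> bool:
    """A client speaking SSH 2.0 may proceed when the server announces
    "2.0" or the RFC 4253 compatibility value "1.99"; anything else is a
    version-1-only server and key exchange must not be attempted."""
    return protoversion in ("2.0", "1.99")


if __name__ == "__main__":
    # Constructed sample banner in the style of a Debian/Ubuntu OpenSSH.
    sample = b"SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n"
    proto, software, comments = parse_identification(sample)
    print(proto, software, comments, supports_ssh2(proto))
```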


